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DETAILED ACTION 

Continued Examination Under 37 CFR 1.114 

1 . A request for continued examination under 37 CFR 1.114, including the fee set 
forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this 
application is eligible for continued examination under 37 CFR 1.114, and the fee set 
forth in 37 CFR 1 .17(e) has been timely paid, the finality of the previous Office action 
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 5/12/08 
has been entered. 

2. Claims 2-14 and 16-21 are pending. 

Response to Arguments 

3. Applicant's arguments with respect to claims 2-14 and 16-21 have been 
considered but are moot in view of the new ground(s) of rejection. 

Claim Rejections - 35 USC §112 

4. The following is a quotation of the second paragraph of 35 U.S.C. 1 12: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

5. Claims 2 and 18 are rejected under 35 U.S.C. 112, second paragraph, as being 
indefinite for failing to particularly point out and distinctly claim the subject matter which 
applicant regards as the invention. 
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6. Claims 2 and 18 recites the newly added limitation "the results of pattern 
matching by analyzing means of other agents". There is insufficient antecedent basis 
for this limitation in the claim and the limitation is unclear. 

Claim Rejections - 35 USC § 103 

7. The following is a quotation of 35 U.S.C. 1 03(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

8. Claims 2-1 4 and 1 6-21 are rejected under 35 U.S.C. 1 03(a) as being 
unpatentable over Rowland, US Patent 6,405,318 and further in view of Baker, US 
Patent 6,775,657. 

Regarding claim 2, Rowland discloses a system that detects the state of a computer 

network, comprising: agents/host local controller (fig. 9, #151-153) disposed in said 

computer network, each said agent/host local controller, comprising: 

data collection means/intrusion detection system (fig. 1) for passively collecting, 

monitoring, and aggregating data representative of activities of respective nodes within 

said computer network (log file auditing, fig. 2, and col. 2 lines 40-47); 

means responsive to the data from the data collection means for analyzing said data to 

develop activity models/user profile data or signatures, representative of activities of 

said network in a normal state and activities of said network in an abnormal state; and 
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means for comparing collected data to said activity models to determine the state of 
said computer network at different times and to dynamically update said activity models 
(col. 2 . lines 40-67 and fig. 2), wherein said analyzing means performs a pattern 
analysis on the collected data (fig. 3, #34 and associated text, compares known attack 
patterns). Rowland lacks or does not expressly disclose said comparing means 
compares the results of the pattern analysis to the results of pattern matching by 
analyzing means of other agents to identify similar patterns of suspicious activity in 
different portions of the computer network. However, Baker discloses comparing 
means compares the results of the pattern analysis to the results of pattern matching by 
analyzing means of other agents to identify similar patterns of suspicious activity in 
different portions of the computer network (figs. 2 & 3 and associated text, disclose 
intrusion detection pattern analysis performed by a network node and performed by a 
host node). It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to modify the system of Rowland with the system of Baker to 
compare the results of the pattern analysis to the results of pattern matching by 
analyzing means of other agents to identify similar patterns of suspicious active in 
different portions of the computer network in order to determine if a specific node can be 
trusted, as taught by Baker, (col. 5, lines 10-14). 
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Regarding claim 3, Rowland as modified above discloses the system of claim 2, 
wherein said agents comprises a plurality of distributed agents/host local controllers and 
central system controller (fig. 9. #150 and #151-153). 

Regarding claim 4, Rowland as modified above discloses the system of claim 2, 
wherein said data collection means collects data representative of operation of said 
computer network, including respective nodes in said computer network, said data 
relating to communications, internal and external accesses, code execution functions, 
and/or network resource conditions of respective nodes in said computer network (col. 2 
lines 40-67, Rowland discloses the system coordinates information transfer with host, 
multi-host and network environments to coordinate intrusion response... real-time 
monitoring of log audit files, port scan detection and session monitoring. Fig. 3 
demonstrates monitoring foreign domains). 

Regarding claim 5, Rowland as modified above discloses the system of claim 2, 
wherein said activity models characterize conditions within said computer network 
including behaviors, events, and/or functions of respective nodes of said computer 
network, said behaviors representative of said normal state and one or more abnormal 
states representative of suspicious activity in said computer network, (col. 2 lines 40-67 
disclose the intrusion detection system automatically and dynamically builds user profile 
data for each user that can be used to determine normal actions for each user to reduce 
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the occurrence of false alarms... and fig. 2 shows monitoring suspicious events #15, 
known attacks, #12, known security violations, #13). 

Regarding claim 6, Rowland as modified above discloses the system of claim 2, further 
comprising means for characterizing the state of the computer network and identifying 
any potential threats based on said collected data (figs 4-5 disclose the user profile 
database and user database update function and the anomaly detection function). 

Regarding claim 7, Rowland as modified above discloses the system of claim 6, 
wherein said characterizing means further recommends remedial repair and/or recovery 
strategies to isolate and/or neutralize the identified potential threats to the computer 
system (in the event of a detected threat the control is notified, fig. 5, #55, fig. 6, #85, 
fig. 7, #97; in fig. 8, determine and take appropriate action #127-136). 

Regarding claim 8, Rowland as modified above discloses the system of claim 2, 
wherein respective agents are connected by redundant communications connections 
(fig. 9). 



Regarding claim 9, Rowland as modified above discloses the system of claim 2, 
wherein each agent is implemented in redundant memory and hardware that is adapted 
to be insulated from infected components of said computer network (col. 2, lines 48-67). 
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Regarding claim 10, Rowland as modified above discloses the system of claim 2, 
wherein the agents a plurality of agents are disposed in a hierarchical structure whereby 
communications from bottom level agents to agents at higher levels in the hierarchy are 
limited (fig. 9, local host controller, central system controller, network administrator). 

Regarding claim 1 1 , Rowland as modified above discloses the system of claim 2, further 
comprising means for predictively modeling the behavior of said computer network 
based on sequentially occurring behavior patterns in the data collected by said data 
collection means (col. 5, lines 30-35 and figs. 3-4). 

Regarding claim 12, Rowland as modified above discloses the system of claim 2, 
wherein said comparing means comprises means for pattern matching collected data 
with data in said activity models to determine a closest activity model based upon 
similarity of the data in each data model with the collected data (col. 5, lines 30-35 and 
figs. 3-4). 

Regarding claim 13, Rowland as modified above discloses the system of claim 2, 
wherein the collected data represents actions of a virus, system responses to actions of 
a virus, actions of a hacker, system responses to actions of a hacker, threats directed to 
discrete objects in said computer network, and/or potential triggers of a virus or threat to 
said computer network (col. 6, lines 13-col. 7, line 40 and fig. 6). 
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Regarding claim 14, Rowland as modified above discloses the system of claim 2, 
wherein said analyzing means for each agent filters and analyzes received data and 
dynamically redistributes the analyzed and filtered data to other agents associated with 
said each agent (col. 2, lines 50-66). 

Regarding claim 15, Rowland as modified above discloses the system of claim 2, 
wherein said analyzing means performs a pattern analysis on the collected data and 
said comparing means compares the results of the pattern analysis to the results of 
pattern matching by analyzing means of other agents to identify similar patterns of 
suspicious activity in different portions of the computer network (col. 2, lines 50-66 and 
col. 5, lines 30-35 and figs. 3-4). 

Regarding claim 16, Rowland as modified above discloses the system of claim 2, 
wherein the comparing means compares names and email addresses in said collected 
data against known criminal, hoaxsters and/or aliases for known criminals and 
hoaxsters (col. 10, 27-35 and col. 6, lines 30-51, SMTP). 

Regarding claim 17, Rowland as modified above discloses the system of claim 2, further 
comprising a trusted server that receives attack data from a plurality of agents 
identifying abnormal states indicative of a network attack, said trusted server gathering 
the attack data and sending warnings to selected nodes in said computer network (fig. 
9, #150, central system controller). 
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As per claim 18, this is a method version of the claimed system discussed above in 
claim 1 wherein all claimed limitations have also been addressed and/or cited as set 
forth above. 

Regarding claim 19, Rowland as modified above discloses the method of claim 18, 
wherein the agents reports any suspicious activity that exceeds a suspicion threshold 
(fig. 10 controls the intrusion detection system setup and determines the suspicion 
thresholds). 

Regarding claim 20, Rowland as modified above discloses the method of claim 19, 
wherein the agents transmits said analyzed data in order to determine an origin of the 
suspicious activity in the computer network (col. 2 lines 40-67). 

Regarding claim 21, Rowland as modified above discloses the method of claim 20, 
further comprising scanning said analyzed data for patterns and comparing said 
patterns to data representative of patterns of known threats to said computer network 
for identification of said suspicious activity (col. 5, lines 30-35 and figs. 3-4). 

Conclusion 

9. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to AUBREY H. WYSZYNSKI whose telephone number is 
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(571)272-8155. The examiner can normally be reached on Monday - Thursday, and 
alternate Friday's. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kambiz Zand can be reached on (571 )272-381 1 . The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



/Aubrey H Wyszynski/ 
Examiner, Art Unit 2134 

/Kambiz Zand/ 

Supervisory Patent Examiner, Art Unit 2134 



